How to best defend against DDoS attacks
Once the domain of political hacktivists and old-school protection racketeers, DDoS attacks are increasingly being used in common-or-garden data theft. Here’s what you need to know.
The distributed denial of service (DDoS) attack was once only really found in the arsenal of old-school protection racketeers who had moved their ‘nasty things can happen, pay us to prevent them’ style of bully-boy extortion scheme into the online domain. Initially, the target sector was almost exclusively online betting operations, as these were easy pickings: block access to a site for a day and the cost to the company was such that most would willingly, if not gladly, pay a small ‘fee’ to make the problem go away.
Of course, the problem only went away until the next bunch of blackmailers turned up on the virtual doorstep. Pretty soon, online activists realised that they too could use this method of taking down sites and interrupting normal online service to show displeasure with, or attempt to change, organisations both commercial and political. Indeed, in many ways the growth of hacktivism and the popularisation of easy-to-use DDoS exploit kits went hand in hand. It also wasn’t long before the cyber-criminal fraternity in general realised that DDoS could benefit them by helping to ensure breaches went unnoticed.
So it certainly came as no surprise to me when I read in The Telegraph that an anonymous source, apparently with some inside knowledge of the attack on Carphone Warehouse, which led to the data of more than 2 million customers being compromised, claims a DDoS attack was used prior to the main breach taking place. This kind of smokescreen tactic is very common, in breach attempts large and small, for one very good reason: it works.
It works because, by bombarding a target network with traffic in this way, the attackers are able to divert attention from the real nefarious activity taking place. It’s both simple and clever: IT support teams are prioritised into fending off the ‘attack’ and keeping the business up and running, while at the same time the actual crime is being committed elsewhere unnoticed.
These multi-vector attacks are becoming the norm, and are very difficult indeed to defend against. Think about it: a DDoS attack may be a diversionary tactic for the cyber-criminal who is actually attempting to make off with your customer data but, and this is the problematic bit from the defence perspective, it’s all too real an attack on the business nonetheless, and one that must be dealt with lest the business suffer costly downtime.
Of course, sit back and think about it and the problem of a diversionary DDoS attack is no different to the problem of a primary DDoS attack. It’s still a DDoS attack and it should be dealt with in exactly the same way, namely for DDoS defence to be an integral part of the corporate cyber security posture. If you still aren’t taking the threat seriously, then you are not listening and you are going to get burned. Badly burned.
I’ve already touched upon the reason for this: exploit kits and DDoS launchers are readily available for anyone who wants to use them for any purpose against any organisation. Not only is there so little skill involved in using some of these tools that they have become, for all intents and purposes, point-and-click business interrupters, but they have also become fully commoditised.
You can buy a ready-made kit that will harvest the necessary resources (in terms of bots) and convert them into the DDoS weapon of your choice. You can also rent them, ready to fire at whatever target network you request, on an hourly basis; the longer the rental period, the cheaper the cost per hour.
I have personally seen DDoS rentals as low as £5 per hour on the Dark Market, although £20 per hour is a more realistic figure for a reasonably powerful botnet and a ‘reliable’ villain taking your money. Despite these seemingly low figures, some threat actors out there are making considerable sums of money through investing in botnet creation, whereby the resources (computers, routers, servers) of innocent individuals and businesses are compromised through infection to become part of their zombie army. These botnets sit at the very heart of the success of the DDoS-for-hire market; the bigger the botnet, the bigger the attacks that can be launched, or the more simultaneous smaller attacks that can be commissioned – either way it’s a win for the bad guys. More to the point, it’s a lose-lose for the victims of DDoS.
Stephanie Weagle from Corero Network Security, which is a specialist in DDoS protection, says that the ramifications of the damage are just as wide ranging as the attacks themselves, and include:
“Downtime affects the bottom line, directly and indirectly, and in principle, all types of damage could be rolled into this one. Effects vary widely across industries, and among firms within industries.”
Operational and productivity loss
“Network problems impact IT staff directly, and may impact some or all of the non-IT divisions. During full outages, workforce productivity comes to a halt. Troubleshooting, mitigation, and disaster recovery procedures are notoriously resource-intensive.”
“Your brand suffers if customers and business partners cannot access your site, become casualties of a breach, or simply experience diminished function or performance when interacting with your digital properties or online tools and assets.”
It’s obvious, therefore, that DDoS defence needs to be taken seriously. Or is it? A survey of security community concerns, carried out by F5 Networks at the 2015 Infosecurity Europe trade show in London, revealed that organisations run the risk of being too complacent when it comes to the DDoS attack threat. Most of the defence focus, it seems, is being aimed at application data breaches, network attacks and malware. All of these are important, no doubt about that, but when you see that 39% of those questioned admitted their organisation had already likely been targeted by a DDoS attack, it doesn’t make a lot of sense to ignore this vector.
So what are organisations doing about DDoS? According to this survey of IT professionals, it would seem that most (40%) think a firewall is sufficient, with 26% preferring the use of a web application firewall (WAF) for DDoS defence. Both of those numbers are much higher than any investment in specific DDoS protection, be that of the on- or off-premise variety.
Gary Newe, technical director for the UK at F5 Networks, says that these statistics are concerning on a number of levels: “I’m very surprised to see that DDoS attacks are no longer a top three concern for businesses,” he says, “as attacks are still coming thick and fast with an ever increasing level of sophistication. Businesses must continue to invest in protecting themselves against attacks of this kind.”
Arbor Networks, another specialist in DDoS attack mitigation, has revealed that attacks in the 1 gigabit per second band, now pretty much the middle ground of the DDoS size spectrum, are growing strongly, and that the overall trend is towards more organisations facing these more powerful averages. Arbor, which collects data through its Active Threat Level Analysis System, to which around 300 ISPs contribute live information every hour, reckons that around 21% of attacks in Q2 of 2015 were over 1Gbps in size, compared to around 17.5% in Q1.
So how can an organisation best defend against a DDoS attack? The traditional answer has been to throw rather a lot of money and technical expertise at the problem, which tended to come by way of enterprise-level web application firewalls and dedicated gateway appliances. When you start talking about load balancing systems, and provisioning more expensive bandwidth than you need most of the time so as to be able to absorb a DDoS attack while it is underway, you can see how the numbers go up. Getting the numbers down, in terms of both cost and complexity, is vital if more organisations are going to be able to properly adopt a strong DDoS defence posture. This is where another c word comes into the mix (no, not that one) and it’s the cloud.
Cloud-based DDoS mitigation services demand much less investment across the board: infrastructure, installation, maintenance and management. Even though a cloud-based system works by following the same principles as on-premise ones, namely monitoring and analysing traffic patterns so as to be able to trigger threat alerts, much as perimeter appliances would, the differences soon become clear in terms of application.
When a DDoS attack profile triggers the system to go into action, all potentially malicious traffic is routed away from your network through a ‘scrubber’ which is in the cloud. This cloud-based mitigation network filters, or scrubs, the traffic in real time and only allows clean packets to flow back into your network. Costs are further reduced as, with most such services, you only pay for the capacity that you use during such an attack rather than for having it on standby but unused all the time.
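As an added illustration of the monitor-and-divert loop just described (this is not code from the article or from any of the vendors it names), the following Python keeps a baseline of recent per-second packet totals, flips into mitigation when a second's traffic bursts far above that baseline, and, while mitigating, passes each second's flows through a stand-in ‘scrubber’ that enforces a per-source packet budget before traffic is delivered. The flow records are constructed, and the thresholds, addresses, cooldown and function names are my own assumptions; a real scrubbing network uses far richer signals than a per-source rate limit.

```python
"""Toy model of cloud DDoS scrubbing: baseline -> burst detection -> divert -> scrub.

Constructed example; nothing here is a vendor's product logic.
"""
from collections import deque
from statistics import mean, pstdev


def build_sample_flows():
    """Constructed flow records as (second, source_ip, packets_in_that_second).

    Five legitimate sources send ~20 pps each for 20 seconds.  Seconds 10-14 add
    a constructed flood: 200 distinct sources each sending 60 pps.
    """
    flows = []
    legit = [f"198.51.100.{i}" for i in range(1, 6)]       # RFC 5737 documentation range
    for sec in range(20):
        for i, ip in enumerate(legit):
            flows.append((sec, ip, 18 + (sec + i) % 5))    # small jitter, 100 pps in total
        if 10 <= sec < 15:                                  # constructed flood window
            for j in range(200):
                flows.append((sec, f"203.0.113.{j + 1}", 60))
    return flows


class RateMonitor:
    """Learns a baseline from clean seconds and decides when to divert to the scrubber."""

    def __init__(self, window=5, sigma=4.0, min_ratio=3.0, cooldown=2):
        self.history = deque(maxlen=window)   # per-second totals from non-anomalous seconds
        self.sigma = sigma                    # statistical burst threshold (assumed)
        self.min_ratio = min_ratio            # floor: never alert below baseline * ratio
        self.cooldown = cooldown              # quiet seconds required before leaving mitigation
        self.mitigating = False
        self.quiet = 0

    def observe(self, total_pps):
        """Record one second's inbound total; return True if it should be diverted."""
        anomalous = False
        if len(self.history) >= 3:
            base, sd = mean(self.history), pstdev(self.history)
            threshold = max(base + self.sigma * sd, base * self.min_ratio)
            anomalous = total_pps > threshold
        if anomalous:
            self.mitigating, self.quiet = True, 0
        else:
            self.history.append(total_pps)    # only learn from seconds we believe are clean
            if self.mitigating:
                self.quiet += 1
                if self.quiet >= self.cooldown:
                    self.mitigating = False
        return self.mitigating


def scrub(records, per_source_limit=40):
    """Stand-in for the cloud scrubber: drop any source exceeding a per-second packet budget."""
    clean = [r for r in records if r[2] <= per_source_limit]
    dropped = [r for r in records if r[2] > per_source_limit]
    return clean, dropped


def run(flows, monitor=None):
    """Replay flows second by second; return a per-second report of what was delivered."""
    monitor = monitor or RateMonitor()
    by_second = {}
    for sec, ip, pkts in flows:
        by_second.setdefault(sec, []).append((sec, ip, pkts))
    report = []
    for sec in sorted(by_second):
        records = by_second[sec]
        total = sum(p for _, _, p in records)
        diverted = monitor.observe(total)
        clean, dropped = scrub(records) if diverted else (records, [])
        report.append({
            "second": sec,
            "inbound_pps": total,
            "diverted": diverted,
            "delivered_pps": sum(p for _, _, p in clean),
            "dropped_sources": len({ip for _, ip, _ in dropped}),
        })
    return report


if __name__ == "__main__":
    for row in run(build_sample_flows()):
        print(row)
```

Two details carry over to real deployments: the baseline is only updated from seconds the monitor considers clean, so a long flood does not gradually ‘teach’ the detector that 12,000 pps is normal, and leaving mitigation requires a cooldown of quiet seconds rather than a single one, so a brief lull in the flood does not pull traffic back on-premise prematurely.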
Speed and capacity (how quickly will the attack be spotted and how quickly can it be stopped, coupled with how large the scrubbing networks are) will determine the overall cost of the service. Be sure to ask your service provider for the speed and cost numbers, as paying for too much or not enough can be equally disastrous. Too little will cost less but be ineffective, too much and you are paying for something you don’t need that could cost more than the consequences of a DDoS attack itself. Questions like “how many Tier 1 global telecom carriers” and “do you piggyback DNS services on your DDoS mitigation network” are good to get started with. Oh, and enquire as to the cost of scaling up the mitigation as your business, and traffic requirements, grow.